cve-2024-2421
Vulnerability from cvelistv5
Published
2024-05-30 17:24
Modified
2024-08-01 19:11
Severity
Summary
LenelS2 NetBox Improper Neutralization of Special Elements
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:carrier:lenels2_netbox:0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "lenels2_netbox",
"vendor": "carrier",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-31T16:38:35.581709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:16.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-2024-01-NetBox_tcm558-227956.pdf"
},
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NetBox",
"vendor": "LenelS2",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Claroty Team82"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions."
}
],
"value": "LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T17:24:33.231Z",
"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"shortName": "Carrier"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-2024-01-NetBox_tcm558-227956.pdf"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "LenelS2 advises customers to apply to the updated version of NetBox 5.6.2 or newer via the LenelS2 Partner Center. Please get in touch with your support channel partner for instructions."
}
],
"value": "LenelS2 advises customers to apply to the updated version of NetBox 5.6.2 or newer via the LenelS2 Partner Center. Please get in touch with your support channel partner for instructions."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "LenelS2 NetBox Improper Neutralization of Special Elements",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"assignerShortName": "Carrier",
"cveId": "CVE-2024-2421",
"datePublished": "2024-05-30T17:24:33.231Z",
"dateReserved": "2024-03-13T13:55:51.729Z",
"dateUpdated": "2024-08-01T19:11:53.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-2421\",\"sourceIdentifier\":\"productsecurity@carrier.com\",\"published\":\"2024-05-30T18:15:09.230\",\"lastModified\":\"2024-05-30T18:18:58.870\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 que el sistema de monitoreo de eventos y control de acceso LenelS2 NetBox conten\u00eda un RCE no autenticado en versiones anteriores a la 5.6.1 incluida, lo que permite a un atacante ejecutar comandos maliciosos con permisos elevados.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"productsecurity@carrier.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01\",\"source\":\"productsecurity@carrier.com\"},{\"url\":\"https://www.corporate.carrier.com/Images/CARR-PSA-2024-01-NetBox_tcm558-227956.pdf\",\"source\":\"productsecurity@carrier.com\"}]}}"
}
}
Loading...